CVE-2023-35674
published 2023-09-11


Priority: P1 81 high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
KEV: CISA Known Exploited Vulnerability, due 2023-10-04
ITW: Exploited in the wild
EPSS: 2.20% (80.3th percentile)

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected

14 ranges
Vendor | Product | Version range | Fixed in
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
platform | frameworks_base | >= 11:0 < 11:2023-09-01 | 11:2023-09-01
platform | frameworks_base | >= 12:0 < 12:2023-09-01 | 12:2023-09-01
platform | frameworks_base | >= 12L:0 < 12L:2023-09-01 | 12L:2023-09-01
platform | frameworks_base | >= 13-next:0 < 13-next:2023-09-01 | 13-next:2023-09-01
platform | frameworks_base | >= 13:0 < 13:2023-09-01 | 13:2023-09-01

Detection & IOCs (extracted from sources)

  • Vulnerability exists in WindowState.java onCreate method — monitor for unexpected background activity launches originating from unprivileged apps on Android 11, 12, 12L, and 13
  • Classify as local Elevation of Privilege (EoP) — no additional execution privileges or user interaction required, making it suitable for silent exploitation by a malicious app already on device
  • Track Android internal bug reference A-264029851 in vendor patch advisories and OEM firmware changelogs to confirm patch application
  • This vulnerability is listed in CISA KEV (Known Exploited Vulnerabilities) catalog — treat as actively exploited in the wild; prioritize detection on Android Framework versions 11, 12, 12L, and 13
  • Affected AOSP versions are 11, 12, 12L, and 13 only — Android 14 and later are not listed as affected
  • The vulnerability is described as 'unspecified' in the CISA KEV entry, meaning full technical exploitation details are not publicly disclosed — detection must rely on behavioral indicators (unexpected background activity launches) rather than specific payload signatures

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH
cisa: 7.8 HIGH